What is IT risk management?
IT risk management is a subset of enterprise risk management (ERM), designed to align IT risk with an organization’s risk appetite. IT Risk Management (ITRM) encompasses the policies, procedures and technologies necessary to reduce threats and vulnerabilities, while maintaining compliance with applicable regulatory requirements. In addition, ITRM seeks to limit the consequences of destructive events, such as security breaches.
Typically, ITRM focuses on risk identification and analysis, risk assessment and prioritization, and risk mitigation. As infrastructure, business priorities and threats are constantly evolving, IT risk management should be treated as an ongoing process.
How does IT risk management work?
Today, businesses face a range of risks: cybersecurity, privacy, operational and compliance risks, as well as risks to the company’s reputation and its bottom line. Although risk appetite and tolerance vary from company to company, every organization must develop a risk management strategy. For IT teams, the task is aligning IT risk with operational and business risk management, which is not easy.
ITRM has many moving parts. It typically follows these steps:
- Collect the information needed to assess the risks
- Identify valuable assets across the organization and determine the potential consequences if assets are damaged by uncontrolled risk
- Identify internal / external threats and vulnerabilities and assess the likelihood that these vulnerabilities will be exploited
- Analyze the effectiveness of existing controls and decide if additional controls are needed
- Prioritize risks and remediation efforts
- Recommend controls
- Develop an IT infrastructure improvement strategy that will mitigate the most critical vulnerabilities
- Define mitigation processes
- Evaluate ITRM efforts and measure results
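The assessment and prioritization steps above are easiest to see with numbers attached. The following is an added example, not code from this page or from any framework or vendor it names, that scores a small constructed risk register with a FAIR-style loss model: for each asset/threat pair it takes a threat event frequency, the probability an attempt succeeds, the effectiveness of existing controls and a triangular per-event loss range, estimates annualized loss exposure by simulation, ranks the risks, and flags those above a stated risk tolerance. All asset names, threats, figures and the tolerance threshold are assumptions made for the example.

```python
"""Added example (not from the page): prioritizing a constructed IT risk register
with a FAIR-style loss model. All assets, threats and figures are made up."""
import math
import random
from dataclasses import dataclass


@dataclass
class Risk:
    asset: str
    threat: str
    tef_per_year: float            # threat event frequency: attempts per year
    vulnerability: float           # probability an attempt succeeds absent extra controls
    control_effectiveness: float   # fraction of successful attempts stopped by existing controls
    loss_min: float                # per-event loss magnitude range (currency units)
    loss_likely: float
    loss_max: float


# Constructed risk register (steps: identify assets, threats, vulnerabilities and existing controls)
RISKS = [
    Risk("customer database", "SQL injection via web app", 12, 0.30, 0.80, 20_000, 80_000, 400_000),
    Risk("payroll server", "ransomware via phishing", 6, 0.25, 0.50, 50_000, 250_000, 2_000_000),
    Risk("office printers", "misuse by insider", 2, 0.50, 0.00, 500, 2_000, 10_000),
]


def loss_event_frequency(risk: Risk) -> float:
    """Expected number of successful loss events per year after existing controls."""
    return risk.tef_per_year * risk.vulnerability * (1.0 - risk.control_effectiveness)


def expected_annual_loss(risk: Risk) -> float:
    """Closed-form annualized loss expectancy: event rate times mean per-event loss."""
    mean_loss = (risk.loss_min + risk.loss_likely + risk.loss_max) / 3.0  # mean of a triangular distribution
    return loss_event_frequency(risk) * mean_loss


def _poisson(rng: random.Random, lam: float) -> int:
    """Knuth's algorithm for a Poisson-distributed count with mean lam (fine for small lam)."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_loss(risk: Risk, trials: int = 10_000, seed: int = 1) -> dict:
    """Monte Carlo estimate of one year's loss: Poisson event count, triangular loss per event.
    Returns the mean (ALE), the 95th percentile and the worst simulated year."""
    rng = random.Random(seed)
    lef = loss_event_frequency(risk)
    yearly = []
    for _ in range(trials):
        events = _poisson(rng, lef)
        total = sum(rng.triangular(risk.loss_min, risk.loss_max, risk.loss_likely) for _ in range(events))
        yearly.append(total)
    yearly.sort()
    return {"ale": sum(yearly) / trials, "p95": yearly[int(0.95 * (trials - 1))], "max": yearly[-1]}


def prioritize(risks, trials: int = 10_000, seed: int = 1) -> list:
    """Step: prioritize risks. Ranks by simulated annualized loss exposure, highest first."""
    ranked = []
    for r in risks:
        stats = simulate_annual_loss(r, trials, seed)
        ranked.append({"asset": r.asset, "threat": r.threat, **stats})
    ranked.sort(key=lambda row: row["ale"], reverse=True)
    return ranked


def exceeds_appetite(risks, tolerance: float) -> list:
    """Step: decide whether additional controls are needed. Returns the assets whose
    expected annual loss is above the organization's stated tolerance, highest first."""
    over = [(expected_annual_loss(r), r.asset) for r in risks if expected_annual_loss(r) > tolerance]
    return [asset for _, asset in sorted(over, reverse=True)]


if __name__ == "__main__":
    for row in prioritize(RISKS):
        print(f"{row['asset']:<18} {row['threat']:<28} ALE={row['ale']:>12,.0f}  p95={row['p95']:>12,.0f}")
    print("above tolerance (100,000/year):", exceeds_appetite(RISKS, 100_000))
```

The point the register is built to show: the printers are the most frequently hit asset, yet they rank last, because prioritization combines likelihood with consequence rather than counting events. The 95th percentile is kept alongside the mean because a low-frequency, high-impact risk (the payroll server) can have a modest average and still produce a single catastrophic year, which is what a risk appetite conversation usually turns on.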
While the above steps are important, they can be time consuming and require extensive institutional knowledge to complete. IT teams can use frameworks to guide their efforts and achieve the best results. Frameworks provide a structured methodology for governance, assessment and risk response.
Popular frameworks include the following:
- ISACA Risk IT Framework
- COBIT (Control Objectives for Information and Related Technology)
- The COSO framework (Committee of Sponsoring Organizations of the Treadway Commission)
- Factor Analysis of Information Risk (FAIR)
- ISO/IEC 27005
- ISO 31000
- NIST SP 800-39
What are the advantages and disadvantages of IT risk management?
Studies show that organizations that take a risk-based approach to IT compliance reduce the likelihood of security incidents. This is just one reason why all organizations today should take IT risk management seriously.
Although ITRM frameworks provide useful guidance, it is easy for IT teams to suffer from “framework overload”. Veronica Rose, Director of the ISACA Board of Directors and Information Systems Auditor at Metropol Corp. Ltd., recommends using a combination of frameworks for the best results. For example, the ISACA Risk IT framework aligns well with the COBIT 2019 framework, Rose said.
The complicated nature of ITRM frameworks, however, has led to the rise of ITRM products. Many organizations choose to use tools and/or services based on one or more ITRM frameworks. These offerings generally aim to manage IT and cyber risk, comply with applicable regulations, and integrate ITRM into ERM.
ITRM tools can provide the following functionality:
- Automation and management of workflows
- Data integration and connectors
- Asset discovery and inventory
- Identity and access management
- Risk analysis
- Regulatory and policy content mapping
- Threat and vulnerability management integrations
- Incident management integration
- Risk remediation lifecycle
- Data loss prevention capabilities
- Real-time assessments
Some tools, like Allgress Insight Risk Management Suite, ZenGRC, ServiceNow GRC, and OneTrust GRC, narrowly focus on the Governance, Risk, and Compliance (GRC) subset of ITRM, while others have broader applications. More comprehensive tools generally offer additional modules dedicated to specific areas of risk management. Popular ITRM tools include RSA Archer IT & Security Risk Management, ITRMBond by Diligent, IBM OpenPages with Watson, LogicManager, MetricStream, Lockpath Integrated Risk Management by NAVEX, and SAI360.
Whether organizations tackle ITRM internally using frameworks or deploy ITRM products, they should be looking for the same end result: better asset monitoring, risk identification and mitigation, compliance, performance, incident and business continuity management, and decision making.
Examples of IT risk management product deployments
Below are five examples of organizations that have deployed ITRM products to meet their risk management goals.
Gain visibility into compliance risks and practices: A bank with more than 22,000 employees, 1,200 branches and a range of banking, insurance, leasing and storage businesses needed better risk and compliance management practices than its spreadsheets and existing local systems could support. The bank rolled out Archer’s operational risk management offering, followed by Archer Audit Management. By centralizing risk and compliance data on a single platform, the bank gained a consolidated, real-time view of risk and compliance across its business portfolio.
Align risk management with business objectives: A Fortune 500 company in a highly regulated industry needed to integrate its disparate risk management initiatives and align them with business goals. Using MetricStream’s enterprise-wide internal control and risk management platform, along with the platform’s compliance modules, the company identified and assessed its key risk exposures. In addition, the platform made it possible to measure, monitor and control business risk exposures at several organizational levels. The platform also validated the strength of internal controls and compliance with regulatory policies, while ensuring accountability by enforcing the flow of information and records.
Close the gaps in risk management and compliance: A P&C insurance company needed to understand the gaps in its risk management and compliance program. The company started with LogicManager’s ERM offering, which aims to collect and share risk information, uncover the root causes of risk, and re-aggregate information. Using this ERM approach in combination with the gap analysis method recommended by the RIMS Risk Maturity Model, the insurance company could identify critical business needs and allocate resources accordingly.
Standardize the risk management approach: A green energy consultant and service provider needed a better way to stay on top of Environmental, Health and Safety (EHS) performance and risk across the organization. Its existing approach, which used spreadsheets, Word documents and an older incident management system, was inadequate for measuring risk and understanding responsibilities. The company implemented SAI360’s EHS and operational risk management platform. The platform consisted of four modules: audit management, behavior-based safety, incident management and risk management. The combined modules improved the planning and follow-up of company audits; provided prevention-focused safety reporting; created a single source of truth for recording and responding to incidents and events; and aligned the risk management process with established standards.
Improve overall GRC management: An international supplier of analytics software and technology needed its global GRC management to meet the requirements of the EU General Data Protection Regulation and the ISO 27001 information security standard. The company implemented OneTrust GRC. The team could then link controls and risk mitigation efforts across standards and regulations, reducing the time and effort spent on risk management. In addition, the platform’s audit management module helped the company prioritize actions and adopt a more risk-based audit approach.